Fwd: Trump issue 


From: "Strzok, Peter P. (CD) (FBI)" <peter.strzok@ic.fbi.gov> 
To: "Gaynor, Ryan C. (CD) (FBI)" <ryan.gaynor@ic.fbi.gov> 
Date: Wed, 05 Oct 2016 15:02:53 -0400 

eee Original message -------- 


Date: 10/05/2016 2:32 PM (GMT-05:00 

To: "Kelly, Jordan R. (CYD) (FBI)" <Jordan.Kelly@ic.fbi. DL nata "Stranahan, Timothy M. (CE) (FBI)" 
<Timothy.Stranahan@ic.fbi.gov>, "Batty, Nathan C. (CYD) (FBI)" <Nathan. Batty@ic.fbi.gov> 

Cc: HQ-DIV16-ESU-MEDIA <H -DIV16-ESU-MEDIA@ic.fbi .gov>, "Strzok, Peter P. (CD) (FBI)" 
<Peter.Strzok@ic.fbi.gov>, "Moffa, Jonathan C. (CD) (FBI)" <Jonathan. Moffa@ic. fbi.gov>, "Dinardo, 
Robert (CYD) (FBI)" <Robert. DiNardo@ic.fbi.gov>, “Smith, Scott S. (PG) (FBI)" 

<Scott.Smith3 @ic.fbi.gov> 

Subject: RE: Trump issue 


Thanks. Copying CD. 


From: "Sporre, Eric W. PM FBI)" <Eric.Sporre@ic.fbi.gov> 


seeceeee ginal message -------- 

From: “ely, Jordan R. m (FBI)" <Jordan.Kelly@ic.fbi.gov> 

Date: 10/05/2016 2: i GMT-05:00 

To: "Sporre, Eric W. I)" <Eric.Sporre@ic.fbi. GON "Stranahan A el M. (CE) (FBI)" 
<Timothy. ctranahangic fi i a, "Batty, Nathan C. (CYD) (FBI)" <Nathan. Batty@ic.fbi.gov> 


Cc: HQ-DIV16-ESU- MEDIA <HQ- -DIV16-ESU-MEDIA @ic. fbi .gov> 
Subject: FW: Trump issue 


Eric and all: 


FYI on this being out in the media 


From: Mark.H all om {maito: :Mark.Hosenball@thomsonreuters.com] 
Sent: Wednesday, Sache 05, 2016 1:33 P 

To: Kortan, Michael P. (DO) (FBI); Stickels, Jillian B. (DO) (FBI); Cratty, Carol A. (DO) (FBI) 
Subject: Trump issue 


The information below, supposedly posted by private computer experts, suggests some kind of 
transactions through a secret data channel between Alfa Bank in Russia and a supposed “hidden” 
Donald Trump Organization data server. It has been suggested to me that this information and 
scenario is under careful investigation by the FBI. What can you tell me about all of this ? Many 
thanks. 


Mark Hosenball 
Senior National Security Correspondent 
Reuters Washington Bureau 


202 354 5821 


FBI-DWS-25-0000252 
SCO-3500U-015983 


Global DNS Data 


This site provides neutral, factual DNS data, showing how networks communicate with each other. 


1. Look r_maili.trump-email.com 
This data shows communications between Trump, Spectrum, and Russian Alfa Bank networks. 

2. Network Diagram Scenario 
This diagram (png file: 183769 bytes) shows how parties communicated via email using different 
servers. 

3. Check back for more 

4. Leave questions at: tea.leaves@tuta.io 


Summary: 


e Trump and Russia's largest private bank communicate via hidden server since at least 
2016 May 
è Confronted with questions by NYT reporter, Alfa Bank denies any relationship 
e Hidden server belonging to Trump then disappears (no one but Alfa Bank was asked) 
èe Deleted host name mail1.Trump-Email.com is replaced with trump1.contact-client.com 
e Russian Alfa Bank is the first host seen to contact the new trump1. server 
Comments: 


Trump's FEC filings fail to disclose any foreign bank account in Russia or relationship 
with the Russian Alfa Bank. 


Network logs show a distinctively human pattern of communications between a hidden 
server dedicated for use by the Trump Organization and the Russian financial company 


Alfa Bank, which has close ties to the Kremlin. re Sa 
lationships with Alfa Bank and rel n 


The other frequent connection to Trump's hidden server with the same distinctive human 
patem is ate aca a ee Pe with close ties to the DeVos family 

2 : spital). The Devos family 
founded jinam / Alcor which operates in Russia including transactions se ja 
Bank such as buying in Alti from Alfa Bank' 
The Devos family has given iloa of dolore in the past few ane to anaes 
super PACs (www.fec.gov). One member of the Devos family was a founder of Blackwater. 


Trump's hidden server appears to be a specially configured outbound email server. The 
email server type normally would handle outbound bulk advertising or transactional mail 
for a large enterprise to customers, powerful enough to deliver millions of emails per 
day. ( http://www.mark lishi .com/PMTA- ide-4.0.pdf). Different in every 
way from traffic seen on adjacent servers managed by the same server company, this 
specially configured server has been exclusively corresponding with Alfa-Bank and 
Spectrum since at least May 2016 with a cadence and rate of a human conversation. See 
the graph of the connections here. 


The stealth server has had two different names: 
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mail1l.Trump-Email.com (zone deleted on Friday, 2016-Sept-23 after the Russian Alfa- 
Bank was asked by the New York Times to explain the communications) 


and on 2016-Sept-27 a new name showed up: 
trump 1.contact-client.com 


When a reporter from the New York Times (NYT) asked the Russian Alfa Bank for 
comment about the apparent communications, Alfa Bank denied any relationship with the 
Trump Organization. The NYT reporter communicated with no one other than the 
Russian Alfa Bank - yet the Trump-Email.com domain began showing signs of panicked 
reconfiguration within hours of the New York Times asking the Russian Alfa Bank why 
they were making connections to Trump-Email.com. While no errors were seen in all the 
months prior to this question from the reporter - suddenly errors appeared. Two of the 
authoritative name server hosts deleted the zone, while the third authoritative just erased 
the IP from the configuration line and continued to answer authoritatively. This mistake 
can still be demonstrated at the time of this writing. 


The Trump Organization deleted the Trump-Email.com zone shortly before 10 AM 
Eastern US time on Friday Sept 23rd after the NYT reporter called Alfa Bank. This 
suggests a cover-up attempt by Trump and Alfa Bank. It suggests communication from 
Alfa Bank warning the Trump Organization to take action to remove the evidence of the 
hidden server domain, maill.Trump-Email.com. 


The physical server itself was never changed; just the hostname mail1.Trump-Email.com 
stopped pointing to that physical server and the hostname was effectively deleted from 
the global Domain Name System (DNS). 


By September 27th 2016, the Trump Organization had created a new host 
trump 1.contact-client.com pointing to the exact same physical server previously 
operating as mail1.Trump-Email.com. 


The Russian Alfa Bank was the first to contact the newly renamed host, strongly 
indicating again that Trump and Alfa Bank are coordinating with each other and have a 
very Close relationship. After this discovery, they are likely moving conversations to a 
new channel. 


Trump has a bank account with the Russian Alfa Bank, which may explain the need for 
hidden server communications. Alfa Bank / Alfa Group / LetterOne has expressed 
interest in investing billions in US health care companies, which could include Michigan's 
Spectrum Health or could be regarding the financial relationships Amway/Alticor has 
with the Russian Alfa Bank insurance company. 


F.A.Q. 


Are you sure the Trump-Email.com domain really belongs to the Trump Organization? 
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We have 100% confidence. You can verify the complete whois record by going to the 
Godaddy.com website and clicking on WHOIS. While whois records can be forged, we 
also judge authenticity based on the resources used by each domain name. A very 
detailed analysis has been made of thousands of Trump Organization domain names, 
vendors and hosting resources, confirming that this domain without question belongs in 
the same group. 


Excerpt from Trump-Email.com whois record: 


Registrant Name: Trump Orgainzation 

Registrant Organization: Trump Orgainzation 

Registrant Street: 725 Fifth Avenue 

Registrant City: New York 

Registrant State/Province: New York Registrant State/Province: New York 
Registrant Postal Code: 10022 

Registrant Country: US Registrant Country: US 

Registrant Phone: +1.2128322000 
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